
Interoperability with Oracle Service Bus 10g Security Environments

– Active Types: X.509
– Use Default User Name Mapper: True

2. If the users are not added, add the Common Name (CN) user specified in the certificate, as described in "Create users" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

3. Restart Oracle WebLogic Server.

6.5.1 Configuring Oracle Service Bus 10g Client and Oracle WSM 11g Web Service

To configure Oracle Service Bus 10g client and Oracle WSM 11g Web service, perform the steps described in the following sections:

■ Configuring Oracle WSM 11g Web Service
■ Configuring Oracle Service Bus 10g Client

6.5.1.1 Configuring Oracle WSM 11g Web Service

1. Create and deploy a SOA composite.

2. Create a copy of the following policy: wss10_x509_token_with_message_protection_service_policy.

Edit the policy settings, as follows:

a. Set Encryption Key Reference Mechanism to issuerserial.

b. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3. Attach the policy to the Web service.

For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

6.5.1.2 Configuring Oracle Service Bus 10g Client

1. Create an Oracle Service Bus business service.

2. Create a copy of the Encrypt.xml and Sign.xml policy files.

For example, copy the files to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

3. Attach the X.509 policy to the Oracle Service Bus business service request.

    <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:wssp="http://www.bea.com/wls90/security/policy"
      xmlns:s0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      s0:Id="X509Auth">
      <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
        <wssp:SupportedTokens>
          <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
        </wssp:SupportedTokens>
      </wssp:Identity>
    </wsp:Policy>

Note: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

4. Attach the Sign.xml policy file to the Oracle Service Bus business service request.

5. Edit the myEncrypt.xml policy and attach it to the Oracle Service Bus business service request.

    <?xml version="1.0"?>
    <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:wssp="http://www.bea.com/wls90/security/policy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
      wsu:Id="X509Encrypt">
      <wssp:Confidentiality>
        <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <wssp:Target>
          <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
          <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
        </wssp:Target>
        <wssp:KeyInfo/>
      </wssp:Confidentiality>
    </wsp:Policy>

6. Edit the mySign.xml policy file attached to the Oracle Service Bus business service response to specify that the security token is unsigned:

    <wssp:Integrity SignToken="false">

Also, for SOA clients only, comment out the target for system headers, as shown:

    <?xml version="1.0"?>
    <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:wssp="http://www.bea.com/wls90/security/policy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
      wsu:Id="X509Sign">
      <wssp:Integrity SignToken="false">
        <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <!--wssp:Target>
          <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
            wls:SystemHeaders()
          </wssp:MessageParts>
        </wssp:Target-->
        <wssp:Target>
          <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
            wls:SecurityHeader(wsu:Timestamp)
          </wssp:MessageParts>
        </wssp:Target>
        <wssp:Target>
          <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
            wsp:Body()
          </wssp:MessageParts>
        </wssp:Target>
      </wssp:Integrity>
      <wssp:MessageAge/>
    </wsp:Policy>

7. Attach the myEncrypt.xml policy file from Step 6 to the Oracle Service Bus business service response.

8. Create a ServiceKeyProvider.

9. Specify Encryption Key and Digital Signature Key, as required.

You must use different keys on the Oracle WSM and Oracle Service Bus servers. You can use the same key for encryption and signing, if desired.

10. Create a proxy service, and create a route to the business service.

On the Security page, associate the Service key provider. This is needed for Oracle Service Bus to send the client certificate to SOA.

11. Run the proxy service from the Oracle Service Bus console.

6.5.2 Configuring Oracle WSM 11g Client and Oracle Service Bus 10g Web Service